
UNIRAS Brief - 57/04 - US-CERT Security Bulletin - HTTP Parsing Vulnerabilities in Check Point Firewall-1



 

----------------------------------------------------------------------------------
   UNIRAS (UK Govt CERT) Briefing Notice - 57/04 dated 06.02.04  Time: 11:45
 UNIRAS is part of NISCC (National Infrastructure Security Co-ordination Centre)
----------------------------------------------------------------------------------
  UNIRAS material is also available from its website at www.uniras.gov.uk and
         Information about NISCC is available from www.niscc.gov.uk
----------------------------------------------------------------------------------

Title
=====

US-CERT Security Bulletin:

HTTP Parsing Vulnerabilities in Check Point Firewall-1


Detail
====== 

Several versions of Check Point Firewall-1 contain a vulnerability that allows 
remote attackers to execute arbitrary code with administrative privileges. This 
allows the attacker to take control of the firewall, and in some cases, to also 
control the server it runs on.

----------------------------------------------------------------------------------


HTTP Parsing Vulnerabilities in Check Point Firewall-1

   Original release date: February 05, 2004
   Last revised: --
   Source: US-CERT

   A complete revision history can be found at the end of this file.

Systems Affected

     * Check Point Firewall-1 NG FCS
     * Check Point Firewall-1 NG FP1
     * Check Point Firewall-1 NG FP2
     * Check Point Firewall-1 NG FP3, HF2
     * Check Point Firewall-1 NG with Application Intelligence R54
     * Check Point Firewall-1 NG with Application Intelligence R55

Overview

   Several versions of Check Point Firewall-1 contain a vulnerability that
   allows remote attackers to execute arbitrary code with administrative
   privileges. This allows the attacker to take control of the firewall,
   and in some cases, to also control the server it runs on.

I. Description

   The Application Intelligence (AI) component of Check Point Firewall-1
   is an application proxy that scans traffic for application layer
   attacks once it has passed through the firewall at the network level.
   Earlier versions of Firewall-1 include the HTTP Security Server, which
   provides similar functionality.

   Both the AI and HTTP Security Server features contain an HTTP parsing
   vulnerability that is triggered by sending an invalid HTTP request
   through the firewall. When Firewall-1 generates an error message in
   response to the invalid request, a portion of the input supplied by the
   attacker is included in the format string for a call to sprintf().
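
   As an added illustration (not part of the US-CERT text and not Check
   Point's code), the C fragment below shows the defect class in
   miniature: an error-message routine that lets request data reach
   sprintf() as its format string, beside the constant-format form that
   the vendor fix described under "Solution" corresponds to. Function
   names, the message text and the sample request line are constructed
   for this example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed example of the defect class described in the advisory: an
 * error message for a malformed HTTP request is built by splicing part of
 * the request into a buffer that is then handed to sprintf() as its FORMAT.
 * Names, message text and sample input are invented; this is not vendor code. */

#define MSG_MAX 256
static char g_msg[MSG_MAX];

/* Vulnerable pattern. The request line ends up inside 'fmt', and 'fmt' is
 * then the format argument, so any '%' sequences the client sent are
 * interpreted as conversion directives instead of being copied as text.
 * gcc -Wformat-security flags exactly this call (non-literal format with no
 * arguments). Kept only for contrast with the fixed routine below. */
static const char *format_error_unsafe(const char *request_line)
{
    char fmt[MSG_MAX];
    snprintf(fmt, sizeof fmt, "Invalid HTTP request: %s", request_line);
    sprintf(g_msg, fmt);                 /* client-influenced format string */
    return g_msg;
}

/* Fixed pattern. The format is a compile-time constant and the client data
 * travels only as the "%s" argument, so a '%' in the input is data, never a
 * directive. snprintf() also bounds the write, so an oversized request line
 * cannot overrun g_msg. */
static const char *format_error_safe(const char *request_line)
{
    snprintf(g_msg, sizeof g_msg, "Invalid HTTP request: %s", request_line);
    return g_msg;
}

int main(void)
{
    /* Constructed sample: a malformed request line carrying '%' directives. */
    const char *bad = "GET /%s%s HTTP/1.1";

    /* On a well-formed request both routines give identical output, which is
     * why a defect of this kind stays latent until malformed input arrives. */
    printf("benign, unsafe: %s\n", format_error_unsafe("GET / HTTP/1.1"));
    printf("benign, safe:   %s\n", format_error_safe("GET / HTTP/1.1"));

    /* The fixed routine reproduces the directives as literal text. */
    printf("hostile, safe:  %s\n", format_error_safe(bad));
    return 0;
}
```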

   Researchers at Internet Security Systems have determined that it is
   possible to exploit this format string vulnerability to execute
   commands on the firewall. The researchers have also determined that
   this vulnerability can be exploited as a heap overflow, which would
   allow an attacker to execute arbitrary code. In either case, the
   commands or code executed by the attacker would run with administrative
   privileges, typically "SYSTEM" or "root". For more information, please
   see the ISS advisory at:

          http://xforce.iss.net/xforce/alerts/id/162

   The CERT/CC is tracking this issue as VU#790771. This reference number
   corresponds to CVE candidate CAN-2004-0039.

II. Impact

   This vulnerability allows remote attackers to execute arbitrary code on
   affected firewalls with administrative privileges, typically "SYSTEM"
   or "root". Failed attempts to exploit this vulnerability may cause the
   firewall to crash.

III. Solution

   Apply the patch from Check Point

   Check Point has published a "Firewall-1 HTTP Security Server Update"
   that modifies the error return strings used when an invalid HTTP
   request is detected. For more information, please see the Check Point
   bulletin at:

     http://www.checkpoint.com/techsupport/alerts/security_server.html

   This update prevents attackers from using several known error strings
   to exploit this vulnerability. It is unclear at this time whether there
   are other attack vectors that may still allow exploitation of the
   underlying software defect.

   Disable the affected components

   Check Point has reported that their products are only affected by this
   vulnerability if the HTTP Security Servers feature is enabled.
   Therefore, affected sites may be able to limit their exposure to this
   vulnerability by disabling HTTP Security Servers or the Application
   Intelligence component, as appropriate.
     _________________________________________________________________

   This vulnerability was discovered and researched by Mark Dowd of ISS
   X-Force.
     _________________________________________________________________

   This document was written by Jeffrey P. Lanza.
     _________________________________________________________________

   This document is available from:
   http://www.us-cert.gov/cas/techalerts/TA04-036A.html
     _________________________________________________________________

   Copyright 2004 Carnegie Mellon University.

   Revision History
   Feb 05, 2004:  Initial release

-+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+
This message was posted through the FIRST mailing list server.
Subscriptions are managed by the FIRST Secretariat <first-sec@xxxxxxxxx>.
-+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+


----------------------------------------------------------------------------------

For additional information or assistance, please contact the HELP Desk by
telephone, or send Not Protectively Marked information by email to:
uniras@xxxxxxxxxxxx

Office Hours:
Mon - Fri: 08:30 - 17:00 Hrs
Tel: +44 (0) 20 7821 1330 Ext 4511
Fax: +44 (0) 20 7821 1686

Outside of Office Hours:
On Call Duty Officer:
Tel: +44 (0) 20 7821 1330 and follow the prompts

----------------------------------------------------------------------------------
UNIRAS wishes to acknowledge the contributions of US-CERT for the information
contained in this Briefing. 
----------------------------------------------------------------------------------
This Briefing contains the information released by the original author. Some 
of the information may have changed since it was released. If the vulnerability 
affects you, it may be prudent to retrieve the advisory from the canonical site 
to ensure that you receive the most current information concerning that problem.

Reference to any specific commercial product, process, or service by trade
name, trademark, manufacturer, or otherwise, does not constitute or imply
its endorsement, recommendation, or favouring by UNIRAS or NISCC. The views
and opinions of authors expressed within this notice shall not be used for
advertising or product endorsement purposes.

Neither UNIRAS nor NISCC accepts responsibility for any errors or omissions
contained within this briefing notice. In particular, they shall not be
liable for any loss or damage whatsoever arising from or in connection with
the use of information contained within this notice.

UNIRAS is a member of the Forum of Incident Response and Security Teams (FIRST) 
and has contacts with other international Incident Response Teams (IRTs) in 
order to foster cooperation and coordination in incident prevention, to prompt 
rapid reaction to incidents, and to promote information sharing amongst its 
members and the community at large. 
----------------------------------------------------------------------------------
<End of UNIRAS Briefing>